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Sample Business Hierarchy 
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General Format of X509 Version 3 Certificate 
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SAMPLE OEM RSIO 



OEM Root Certificate 

(note: For an SP RSIO the entire chain of SP Root Certificates would be included. For an ISP RSIO the 
ISP Root Certificate would be included.) 
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SAMPLE TRUST-DELEGATION VECTOR 
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CA trusted to issue certificates for SSL clients 
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CA trusted to issue certificates for SSL servers 
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CA trusted to issue certificates for SP clients 
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CA trusted to issue certificates for SP servers 
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CA trusted to issue certificates for SP system software publishers 
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CA trusted to issue certificates for SP application software publishers 
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CA trusted to issue certificates for step-up encryption servers 
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Entity trusted as OEM, can issue OEM RSIOs 
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Entity trusted as SP, can issue SP RSIOs 
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Validation of an HSIO by ISP client 
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Validate the ISP's RSIO (by verifying its signature 
using the ISP's root certificate included in the RSIO) 730 
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contained in the OEM's RSIO 740 
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Validate that the OEM's root certificate is 
included in the ISP's RSIO 770 
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Validate the SP's RSIO - by chaining from the most 
recent root certificate in the RSIO backwards to 
the latest locally known valid root certificate, 
as discussed in the Detailed Description and disclosed in 
the Incorporated Disclosures 780 
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Authentication of an SSL server certificate 
from non-partner SSL server 
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is signed by a CA. 820 



NO 



YES 



determine whether self 
signed and if yes, then 
verify signature and 
proceed with standard SSL 
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